• Hi,

    We’ve just had a number of our WordPress sites compromised – code has been added to index.php that creates an iframe and loads a url http://numudoz… (for safety I won’t put in the full url). If you search Google for a portion of the code (mv=’uf’;jx=’tv.’) it seems to have affected an enormous number of sites, some of which appear to be Joomla driven.

    There are other sites on the same server – only WordPress sites were infected. I did originally think it was just WordPress 3.2 but I’ve just found a 3.1.2 site that was hacked.

    I can’t find anyone online reporting this issue.

    Is anyone having the same problems? Has anyone heard of this infection?

    Cheers

Viewing 5 replies - 1 through 5 (of 5 total)
  • The hack could have come from a number of places, but the fact that only WordPress sites are infected doesn’t mean the vulnerability is in WordPress – it only means the hackers targeted WordPress installs once they got in.

    On a shared server, on a single account, once an attacker is in, they generally have access to every site on the server. Hence – they just needed to get in somewhere, and then they could scan and hit each WordPress site.

    Cleaning up hacks is tricky business. If you’re not familiar with the process yourself, it’s worth hiring someone to do it for you. The hacker has likely left themselves a backdoor to come back in – so even if you clean up all the iframe code, they’ll come back and put it right back in.

    Unfortunately this is all too common; MySQL injections are a likely cause.

    You should get into contact with your host and see if there isn’t a message from them about any sort of compromised server or others having the same issue. It has happened to me and while it takes forever for them to fix, if the attack is big enough the host sometimes applies a patch to remove the malicious scripts.

    You may also want to revert to backup / take the site down or otherwise make sure that you are not being blacklisted by Google. If you leave malicious code on your page, it’s a very real possibility that the next time Google crawls you and finds it your visitors will be hit with the big red “THIS SITE HAS MALICIOUS CODE” in their browser (a few modern browsers pull from Google’s blacklist). This is a huge pain in the ass, suffice it to say. If you do get blacklisted, you’re going to need to use Webmaster tools to request a re-crawl once you have yourself sorted.

    The best thing to do is to keep off-site backups. There are a couple of plugins which make this effortless. Keep one locally for ease of access and one on Amazon S3.

    Also, keep your registrar separate from your host. Oftentimes during a massive attack your hosting provider’s admin tools will become unresponsive, or just plain deactivated because so many people are trying to jump ship at once. With a different registrar (hopefully unaffected) you can switch your DNS to a new host on which you install a new instance of your site using the backup.

    Thread Starter vicinityweb

    (@vicinityweb)

    Sorry for the late reply – have spent the last couple of days wiping my system and re-installing everything and trying to get things under control on our servers. Unfortunately we had a whole bunch of other sites infected as well and I know now it’s not limited to WordPress.

    Ugh…

    Thanks for all the replies.

    I had the same issue before. A very good way of protecting your site is to set permissions to read_only. Set the whole public_html dir on your server to be read_only and allow admins to change permissions during the time they do modifications. The site will then only be vulnerable during that administration time. This really worked for me.
    The drawback is that you need to have clever admins who don’t forget to restrict access to public_html once they finish administering.
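
The read-only approach described in the reply above, as an added example that is not part of the original thread: shell functions that lock and unlock a document root, list anything still writable, and compare PHP files against a hash baseline so a modified index.php shows up. The function names and the baseline file are assumptions of this example, and it assumes GNU find and coreutils.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU find (-perm /mode) and coreutils (sha256sum, sort -z, xargs -0).
# $1 is always the document root, e.g. the public_html directory from the post.

# Print every file or directory under the docroot that still has a write bit
# set for owner, group or other. Empty output means the tree is read-only.
list_writable() {
    find "$1" \( -type f -o -type d \) -perm /222 -print
}

# Read-only mode: strip write permission for owner, group and other.
lock_docroot() {
    chmod -R a-w "$1"
}

# Maintenance window: give write permission back to the owner only.
unlock_docroot() {
    chmod -R u+w "$1"
}

# Record SHA-256 hashes of all PHP files into baseline file $2.
# $2 must be an absolute path and should live outside the docroot.
snapshot_php() {
    (cd "$1" && find . -type f -name '*.php' -print0 | sort -z |
        xargs -0 -r sha256sum) > "$2"
}

# Print the PHP files whose content no longer matches baseline $2
# (modified or deleted since the snapshot). Files created after the
# snapshot are not in the baseline and are not reported here.
changed_php() {
    (cd "$1" && sha256sum --quiet -c "$2" 2>/dev/null) |
        sed -n 's/: FAILED.*$//p'
}
```

Run `snapshot_php` right after a known-clean deploy, `lock_docroot` when administration ends, and `list_writable` plus `changed_php` from a scheduled job; any output from either is worth investigating.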

  • The topic ‘WordPress security issue?’ is closed to new replies.